No, we did not sell Tor users out to the FBI for $1 million, Carnegie Mellon (more or less) has said.
Carnegie Mellon on Wednesday tersely wrote that recent media reports – one assumes it’s talking about reports that its Software Engineering Institute had accepted such a payment – were “inaccurate.”
No, the university implied, no money exchanged hands.
In fact, this seems to have been more of a legalistic mugging than a sale.
From the statement:
In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed. The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance.
That’s not how the Tor Project was telling it.
Tor’s director, Roger Dingledine, said in a blog post last Wednesday that an unspecified party told Tor that Carnegie Mellon had received a payment of “at least $1 million.”
Ever since Operation Onymous – a far-flung, multination bust that snared 410+ supposedly hidden services running 27 dark web markets, by stripping away the concealing layers of the Tor anonymizing service to lay identities bare – the Tor Project has been trying to figure out how it was done.
The Tor Project came to the conclusion that the technique used to pierce the anonymizing layers of Tor was the same as that discovered by Carnegie Mellon researchers.
Specifically, in the months before the Operation Onymous attack, research from CMU described a way to de-anonymize Bitcoin users that allows for the linkage of user pseudonyms to the IP addresses from which the transactions are generated, even when used on Tor.
Two Carnegie Mellon researchers subsequently canceled a Black Hat 2014 talk about how easy they found it to break Tor.
The trail of evidence provides yet more clues that link the FBI’s penetration of Tor to Carnegie Mellon’s research.
But if Carnegie Mellon is to be believed, no researchers profited from the FBI’s use of its technique – if in fact that’s how the FBI did what it did.
Questions remain, particularly as far as the Tor Project is concerned.
Tor Project spokesperson Kate Krauss told Wired that Tor would still like to learn how the FBI might have known what to subpoena from Carnegie Mellon, and whether Carnegie Mellon’s Institutional Review Board approved of its Tor research.
Wired posed those questions to a Carnegie Mellon public relations staffer, but the university declined to comment beyond its statement.
David
Lisa, one needs to parse CMU’s statement – especially in the light of their unwillingness to elaborate – *very* carefully. OK, CMU were not paid for releasing the data to the FBI ‘under subpoena’. But they are not denying unearthing the data, or that that activity was funded by a federal contract. They are only denying being paid just for handing it over.